EXAMINER'S ANSWER



This is in response to the appeal brief filed 9 February 2009 appealing from the Office
action mailed 9 September 2008.

The appeal brief is filed in the new format under the revised BPAI final rule
before the effective date of the BPAI final rule. The Office published the BPAI 
final rule to amend the rules governing practice before the BPAI in ex parte 
patent appeals. See Rules of Practice Before the Board of Patent Appeals and 
Interferences in Ex Parte Appeals; Final Rule, 73 FR 32938 (June 10, 2008), 
1332 Off Gaz. Pat. Office 47 (July 1, 2008). However, the effective date for the 
BPAI final rule has been delayed. See Rules of Practice Before the Board of 
Patent Appeals and Interferences in Ex Parte Appeals; Delay of Effective and 
Applicability Dates, 73 FR 74972 (December 10, 2008). In the notice published 
on November 20, 2008, the Office indicated that the Office will not hold an 
appeal brief as non-compliant solely for following the new format even though 
it is filed before the effective date. See Clarification of the Effective Date 
Provision in the Final Rule for Ex Parte Appeals, 73 FR 70282 (November 20, 
2008). Since the appeal brief is otherwise acceptable, the Office has accepted 
the appeal brief filed by appellant. 



(1) Real Party in Interest 

A statement identifying by name the real party in interest is contained in the brief.

(4) Status of Amendments After Final

The appellant's statement of the status of amendments after final rejection contained in 
the brief is correct. 

(6) Grounds of Rejection to be Reviewed on Appeal 

The appellant's statement of the grounds of rejection to be reviewed on appeal is correct. 

(7) Claims Appendix 

The copy of the appealed claims contained in the Appendix to the brief is correct. 

(8) Evidence Relied Upon 

Bhagavatula et al. US Patent 7,140,036 

Graves et al. US Patent Application Publication 2004/0177047

(9) Grounds of Rejection

The following ground(s) of rejection are applicable to the appealed claims:

Claims 1-3 are rejected under 35 U.S.C. 102(e) as being anticipated by Bhagavatula et al. U.S.
Patent No. 7,140,036 (hereinafter '036). 

Regarding claim 1, as per the first limitation "A method of authenticating a digitally 
encoded product being originated by an entity having at least one authorized subject, the 
method including the steps of: a client system transmitting a request of authentication of 
the product to a server system" is taught in '036 col. 8, lines 20-25, note "The request 
processing procedure 308 retrieves the information or data requested by the user 40 from the 
respective vendors 30a-n, and forward the same back to the user 40, e.g., via a requested 
information page 310". Also note the vendors are authenticated in col. 6, lines 25-29, "With 
additional reference to FIG. 3, the entities or vendors 30a-n are also registered to participate in 
the system A. Preferably, the agent 10 administers the vendor registration process 200. The 
vendor registration process 200 is similar to the user registration process 100. It preferably is 
carried out online. In a preferred embodiments, via the server 12, the agent 10 provides". 
Therefore Bhagavatula teaches authenticating encoded products and an authorized subject, i.e. 
authenticated user requesting authentication of the product, because they are utilizing the agent 
system that authenticates the vendors. 

As per the second limitation "and returning a representation of the certification to the
client system" is shown in '036 col. 8, lines 54-67, note the Examiner interprets the 'data
selection page' equivalent to 'a representation of the certification';

As per the third limitation "the server system verifying whether the request is
received from an authorized subject, and responsive to a positive verification: certifying
that the product originates from the entity using sensitive information of the entity stored
on the server system" is disclosed in '036 col. 7, line 57 through col. 8, line 25, note
Bhagavatula clearly teaches that sensitive information, i.e. 'passwords, PINs, biometric data, and 
security questions' is stored by the agent, or 'server system'. In addition Bhagavatula teaches 
that the vendors are authenticated using similar methods as the user authentication. Therefore 
regardless of who the 'entity' is Bhagavatula teaches the claim limitation, 'certifying ... using 
sensitive information'. 

Regarding claim 2, "wherein the step of verifying whether the request is received 
from an authorized subject includes: comparing an address of the client system with an 
indication of authorized addresses stored on the server system" is taught in '036 col. 5, 
lines 5-14. 

Regarding claim 3, "wherein the step of verifying whether the request is received 
from an authorized subject includes: comparing an identifier of a user logged on the client 
system with an indication of authorized users stored on the server system" is shown in '036 
col. 8, lines 2-10. 

Claims 4-8 are rejected under 35 U.S.C. 103(a) as being unpatentable over Bhagavatula et al.
U.S. Patent No. 7,140,036 (hereinafter '036) in view of Graves et al. U.S. Patent Application
Publication No. 2004/0177047 (hereinafter '047).

Regarding claim 4, "wherein the step of certifying includes: automatically retrieving
a private key of the entity stored on the server system, and digitally signing the product 
using the private key" however '047 teaches that the PTA and private keys may be hosted in a 
number of locations such as a separate server, and that the authentication process is carried out 
without human participation (i.e. automatically), and furthermore that the private key is used to 
create the digital signature on pages 5-6, paragraphs 0050 and 0052-0053. 

It would have been obvious to one of ordinary skill in the art at the time of the invention 
of a centralized identity authentication for electronic communication network taught in '036 to 
include a means to utilize private keys for authentication. One of ordinary skill in the art would 
have been motivated to perform such a modification because there is a need for buyer 
authentication in online purchases see '047 (page 2, paragraph 011) "Thus, there is a need for 
substantial buyer authentication in online commerce transactions. There is further a need for an 
approach to buyer authentication which is also flexible enough to easily adapt to varying levels 
of security for different applications and also to the adoption of new technologies. The approach 
preferably also does not impose significant burdens on or require extensive modification of the 
existing transaction processing infrastructure". 

Regarding claim 5, "wherein the step of automatically retrieving the private key 
includes: calling a signing command passing a password for accessing the private key as a 
parameter" is taught in '047 page 6, paragraph 0053. 

Regarding claim 6, "wherein the step of automatically retrieving the private key
includes: calling a signing command with an option causing the import of the private key
from a private configuration memory area of the server system" is shown in '047
pages 5-6, paragraphs 0050 and 0052-0053.

Regarding claim 7, "further including the steps of: the client system invoking a 
remote command on the server system, the server system verifying whether the remote 
command is included in a predefined list stored on the server system, the list including at 
least one remote command for satisfying the request of authentication, and the server 
system executing the remote command if included in the list" is disclosed in '047 pages 5-6,
paragraphs 0050 and 0052-0053. 

Regarding claim 8, as per the first limitation, "A method of authenticating a software 
product being originated by an entity having at least one authorized subject, the method 
including the steps of: a client system transmitting a request of authentication of the 
product to a server system" is taught in '036 col. 8, lines 20-31, note "The request processing
procedure 308 retrieves the information or data requested by the user 40 from the respective 
vendors 30a-n, and forward the same back to the user 40, e.g., via a requested information page 
310". Also note the vendors are authenticated in col. 6, lines 25-29, "With additional reference 
to FIG. 3, the entities or vendors 30a-n are also registered to participate in the system A. 
Preferably, the agent 10 administers the vendor registration process 200. The vendor registration 
process 200 is similar to the user registration process 100. It preferably is carried out online. In 
a preferred embodiments, via the server 12, the agent 10 provides". Therefore Bhagavatula 
teaches authenticating encoded products and an authorized subject, i.e. authenticated user 
requesting authentication of the product, because they are utilizing the agent system that 
authenticates the vendors.

As per the second limitation "the server system verifying whether the request is
received from an authorized subject, and responsive to a positive verification:" is disclosed 
in '036 col. 7, line 57 through col. 8, line 25; 

As per the third limitation "generating a digital signature of the product using a 
private key of the entity stored on the server system" however '047 teaches that the PTA and
private keys may be hosted in a number of locations such as a separate server, and that the 
authentication process is carried out without human participation (i.e. automatically), and 
furthermore that the private key is used to create the digital signature on pages 5-6, paragraphs 
0050 and 0052-0053; 

As per the fourth limitation "and returning the digital signature to the client system,
wherein the digital signature certifies that the product originates from the entity" however
'047 teaches that a digital record of the transaction can be shown with the digital signatures on
page 6, paragraph 0056.

It would have been obvious to one of ordinary skill in the art at the time of the invention 
of a centralized identity authentication for electronic communication network taught in '036 to 
include a means to utilize private keys for authentication. One of ordinary skill in the art would 
have been motivated to perform such a modification because there is a need for buyer 
authentication in online purchases see '047 (page 2, paragraph 011) "Thus, there is a need for 
substantial buyer authentication in online commerce transactions. There is further a need for an 
approach to buyer authentication which is also flexible enough to easily adapt to varying levels 
of security for different applications and also to the adoption of new technologies. The approach
preferably also does not impose significant burdens on or require extensive modification of the
existing transaction processing infrastructure". 



(10) Response to Argument 

I) In response to applicant's argument, on pages 7-11 "Nowhere in this section, or in any
other section of Bhagavatula, is there a teaching of a client system transmitting a request of
authentication of the product to a server system".

The Examiner disagrees; the agent of Bhagavatula teaches that both the user and vendor are
authenticated. Users using the agent system in Bhagavatula are requesting that all vendors that
they interact with through the system are authenticated. Therefore the users' request for a product
through the agent system is equivalent to 'a request of authentication of the product'.

II) In response to applicant's argument, on pages 11-14 "Nowhere in this section, or in any
other section of Bhagavatula, is there a teaching of certifying that the product originates from
the entity using sensitive information of the entity stored on the server system".

The Examiner disagrees with the argument for multiple reasons. One, as pointed out in the Final
Office action, the 112 rejection that was placed on the claims because the language does not
clearly define the term "entity" is removed; however, the Examiner interprets the term 'entity' to
be in reference to the user. That is why the sections detailing user authentication are pointed to
in the rejection. In addition, although the claim language is not clear as to who the entity is (the
client, the server system, or someone else, i.e. the vendor), Bhagavatula teaches that the vendors are
authenticated using similar steps as the users in col. 6, lines 25-46. Therefore it is understood
that the vendors, i.e. the entity, are authenticated using sensitive information.

III) In response to applicant's argument, on pages 14-15 "Further, Bhagavatula fails to teach
returning a representation of the certification to the client system".

The Examiner disagrees with the argument. As noted in the Final Office action, the page returned
by the agent to the user is interpreted as equivalent to the representation of the certification to the
client system, see col. 8, lines 32-67.

IV) In response to applicant's argument, on page 15 "Appellants present here for the first 
time the following arguments. As discussed above, the data access by the user is not 
authenticated. That is, Bhagavatula merely authenticates a user and if the user is authenticated 
the user is able to access the data. The data in Bhagavatula is never authenticated. That is, in 
Bhagavatula only the user is ever authenticated". 

The Examiner disagrees with the argument. Also, as discussed above, Bhagavatula teaches that
the vendors are authenticated using similar steps as the users in col. 6,
lines 25-46. Therefore it is understood the products and/or services, such as access to data in a
user account held by databases on the vendor system (see col. 1, lines 38-49), are authenticated.

V) In response to applicant's argument, on pages 15-16 "Furthermore, Bhagavatula does
not teach or provide a sound technical reason why the needed changes to reach the presently
claimed invention are necessary. Absent the Office Action point out some teaching or incentive
to implement Bhagavatula such that a client system transmits a request of authentication of the
product to a server system, the server system certifies that the product originates from an entity
... one in the art would not be led to modify Bhagavatula to reach the present invention".

The Examiner disagrees with the argument; Bhagavatula teaches the invention as shown above.

VI) In response to applicant's argument, on pages 16-17, "Graves does not provide for the
deficiencies of Bhagavatula".

The Examiner disagrees with the argument; there are no deficiencies in Bhagavatula to the
claimed subject matter.

VI) In response to applicant's argument, on pages 18-23, "Appellants respectfully submit that
Graves authentication service does not automatically retrieve a private key of the entity, from
which the product originates, that is stored on the server system in order to certify that the
product originates from an entity".

The Examiner disagrees with the argument. As noted above Bhagavatula teaches that the
products are authenticated by a 'server system' i.e. agent. Graves was combined with 
Bhagavatula to teach that the private keys can be retrieved for an entity from multiple systems. 
The storing of private keys is well taught in the Graves reference in the paragraphs cited. 

VII) In response to applicant's argument, on pages 23-25, "Appellants present here for the 
first time the following argument. Appellants respectfully submit that simply integrating a 
Personal Trust Agent (PTA) and authentication and retrieving a key does not teach or provide a 
technical reason for automatically retrieving a private key of the entity, from which the product 
originates, that is stored on the server system, and digitally signing the product using the private
key. Again, Graves merely authenticates whether a user is authorized to use the payment
instrument. The certificate does not certify that the product originates from an entity using
sensitive information of the entity stored on the server system".

The Examiner disagrees with the argument. As noted above, Bhagavatula teaches that the product is
authenticated and Bhagavatula provides a certificate of authentication to the user from a 'server
system' i.e. the agent. Graves was combined merely to teach that private keys can be stored on
multiple entities and retrieved by a server system.

VIII) In response to applicant's argument, on pages 25-27 with respect to Claim 7, "Appellants
respectfully submit Bhagavatula and Graves, taken alone or in combination, do not teach or
provide a technical reason ... Appellants respectfully submit that Graves' authentication service
does not verify when the remote command is included in a predefined list stored on the server
system ... Nowhere in the Graves reference is there a teaching or technical reason that the
certificate from the user is compared to a list of certificates much less a list that includes at least
one remote command for satisfying the request of authentication".

The Examiner disagrees with the argument. As noted in the Final Office Action, Graves teaches the
limitation in paragraph 53. Claim 7 is shown below:

"the client system invoking a remote command on the server system, the server system verifying 
whether the remote command is included in a predefined list stored on the server system, the list 
including at least one remote command for satisfying the request of authentication, and the 
server system executing the remote command if included in the list" 

The reference teaches the claimed limitation. Bhagavatula and Graves teach authenticating
entities, user and vendor. The Graves reference teaches, in paragraph 53, 'clicking button',
which is equivalent to the "invoking a remote command". The server system executes the
authentication command which attaches the digital signature.

IX) In response to applicant's argument on pages 26-27, "In response to the Examiner's
argument presented in the FOA, Appellants present here for the first time the following
argument. Graves is directed to authenticating whether a user is authorized to use a payment
instrument ... Appellants respectfully submit that Graves' private key, of the buyer, that is used
for authentication and digital signature, of the buyer is not equivalent to the client system
invoking a remote command on the server system verifying whether the remote command is
included in a predefined list stored on the server system".

The Examiner disagrees with the argument for multiple reasons. One, the limitations are clearly
taught in the combination of references. Bhagavatula teaches authenticating the user as well as
the vendor. Two, Graves is utilized because it teaches a server system with the use of private
keys for authentication purposes. In addition, Graves teaches the private keys can be stored
elsewhere, and that the server system can be commanded to perform authentication functions.

X) In response to applicant's arguments on pages 28-41 with respect to claim 8 and the 
arguments previously addressed. 

The Examiner states there are no deficiencies; the combination teaches all the limitations
presented.

XI) In response to applicant's argument on pages 31-34, "Moreover, neither reference
teaches or provides a technical rationale for incorporating the subject matter of the other
reference. That is, there is no motivation offered in either reference for the alleged combination
... One of ordinary skill in the art, being presented only with Bhagavatula and Graves, and
without having a prior knowledge of Appellants' claimed invention, would not have found it
obvious to combine and modify Bhagavatula and Graves to arrive at Appellants' claimed
invention".

The Examiner disagrees; the motivation is shown in the FOA, and as well both references are directed
to purchasing or verifying online transactions. Therefore, under the KSR ruling, prior art
references directed to the same subject matter have a motivation to combine.

For the above reasons, it is believed that the rejections should be sustained. 

Respectfully submitted, 

/ELLEN TRAN/ 

Primary Examiner, Art Unit 2433 

Conferees: 
/Kambiz Zand/ 

Supervisory Patent Examiner, Art Unit 2434 



/Nasser G Moazzami/ 

Supervisory Patent Examiner, Art Unit 2436 



